CVE-2026-6587Server-Side Request Forgery in Ragas

CWE-918Server-Side Request ForgeryCWE-117Improper Output Neutralization for LogsCWE-684Incorrect Provision of Specified Functionality4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
No EPSS data
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Vibrantlabsai Ragas
Timeline
Latest updateApr 19
PublishedApr 20

Description

A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function _try_process_local_file/_try_process_url of the file src/ragas/metrics/collections/multi_modal_faithfulness/util.py of the component Collections Module. Performing a manipulation of the argument retrieved_contexts results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The security patch for CVE

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages1 packages

CVEListV5vibrantlabsai/ragas4 versions+3

🔴Vulnerability Details

2
VulDB
vibrantlabsai RAGAS up to 0.4.3 Collections util.py _try_process_local_file/_try_process_url retrieved_contexts server-side request forgery2026-04-19
GHSA
Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility2026-04-10

💬Community

1
Bugzilla
CVE-2026-34478 org.apache.logging.log4j/log4j-core: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames2026-04-10